Adding a user to WSO2 Identity Server - wso2

We're integrating our asp.net MVC client with WSO2's Identity Server v5.8.0.
Below are the steps we've followed:
1) Created a Service provider for our MVC application & configured Inbound authentication with OAuth/OpenID configuration, also configured Inbound provisioning with primary user store.
2) In our MVC application, we've set up a WSO2 configuration using OWIN's WSO2 NuGet package with the generated client-id & client-secret from the service provider.
3) We've configured MongoDB as our primary user store.
Now we're trying to add a user using SCIM2 API (https://localhost:9443/scim2/Users). Below is the response we're getting:
{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"Cannot add user through scim to user store . SCIM is not enabled for user store WSO2.COM","status":"500"}
I've even changed below config in user-mgt.xml
<Property name="SCIMEnabled">true</Property>
What else do we need to configure? Is there any other way to add user in WSO2 Identity server apart from using SCIM APIs?

It seems like you have two user stores: the primary user store and a secondary user store named wso2.com. By adding
<Property name="SCIMEnabled">true</Property>
to the user-mgt.xml you are enabling SCIM2 for the primary user store, not the secondary user store. But from the API you are adding the user to the secondary user store. Since you haven't enabled SCIM in the secondary user store you are getting this error. You have two options.
1) Add the user to PRIMARY user store
By analyzing the error that you are getting, the username of the user that you are trying to add should be something like
WSO2.COM/Abhishek
Change this to
Abhishek
2) Enable SCIM2 in the secondary user store
Log in to the management console and click List in the User Stores sub menu under the Identity menu.
The User Store Management page opens. There should be a user store named WSO2.COM.
Click on Edit. Click on Advanced and tick "Enable SCIM".
Reference: https://docs.wso2.com/display/IS580/Using+the+SCIM+2.0+REST+APIs
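As an added example (not code from the question or the answer above), a small Python helper that builds the SCIM2 create-user body, shows which user store a username such as WSO2.COM/Abhishek is routed to, and parses the error body quoted in the question. The create_user function, the base URL and the admin credentials are placeholders you supply; the sample error body is a constructed copy of the one in the question.

```python
import base64
import json
import urllib.error
import urllib.request

# Constructed copy of the error body quoted in the question, used as sample input.
SAMPLE_ERROR = ('{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],'
                '"detail":"Cannot add user through scim to user store . '
                'SCIM is not enabled for user store WSO2.COM","status":"500"}')
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def split_user_store(user_name):
    """'WSO2.COM/Abhishek' -> ('WSO2.COM', 'Abhishek'); an unprefixed name goes to PRIMARY."""
    domain, sep, name = user_name.partition("/")
    return (domain.upper(), name) if sep else ("PRIMARY", user_name)


def build_scim2_user(user_name, password, given_name, family_name, email):
    """JSON body for POST /scim2/Users using the SCIM 2.0 core User schema."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": user_name,
        "password": password,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": email, "primary": True}],
    }


def explain_scim_error(body):
    """Parse a SCIM error body; return (HTTP status, user store named as lacking SCIM, or None)."""
    err = json.loads(body)
    if SCIM_ERROR_SCHEMA not in err.get("schemas", []):
        return None, None
    detail = err.get("detail", "")
    marker = "SCIM is not enabled for user store "
    store = detail.split(marker, 1)[1].strip(" .") if marker in detail else None
    return int(err.get("status", 0)), store


def create_user(base_url, admin_user, admin_password, payload):
    """POST the user with HTTP basic auth over TLS; returns (status, response body).
    Not executed here: it needs a reachable Identity Server whose certificate is trusted
    by Python (the default self-signed localhost certificate is not)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/scim2/Users",
                                 data=json.dumps(payload).encode(), method="POST")
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/scim+json")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.getcode(), resp.read().decode()
    except urllib.error.HTTPError as e:  # SCIM errors arrive as 4xx/5xx with a JSON body
        return e.code, e.read().decode()
```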

Related

Migrated User unable to login from admin console UI of wso2.

I had migrated one user from the source wso2 (4.6.0) to the target wso2 (5.5.0) using insert queries in the below tables only.
1. UM_USER (the table contains the user's username, password, etc.)
2. UM_USER_ATTRIBUTE (the table contains user attributes like sn, givenName, etc.)
We are using wso2 to manage user credentials only (user add/delete); that's why we directly inserted the user details
into the above tables instead of following the complete migration steps.
We have successfully created a token for the migrated user based on the password grant_type, but we are unable to log in to the wso2 admin console using the same credentials.
In order to create access tokens, the user doesn't need to have login permission. But in order to log in to the management console & dashboard, the particular user should have login permission. Please assign login permission to the user and then log in to the management console.

WSO2 IS 5.2: How do I a) set admin credentials, b) create API key and secret?

I'm using WSO2 with the Airavata science gateway software, and unfortunately some of the instructions for getting started are a little opaque. Two things I'm trying to accomplish:
1) set the "starting" admin username and password. As I understand it, these are set in WSO2 itself / its built-in "H2" database, not whatever user/password store it's connected to, such as LDAP. I can't find where to set that. I thought it was in user-mgt.xml, but the credentials you set there in the tags appear not to do anything.
2) Airavata uses an API key and secret key to connect to WSO2 IS. I can't find anywhere in the WSO2 setup where this is created.
Help?
1) If you want to set an existing admin user belonging to an external user store such as LDAP, you can use the following section in user-mgt.xml
<Realm>
    <Configuration>
        <AddAdmin>false</AddAdmin>
        <AdminRole>admin</AdminRole>
        <AdminUser>
            <UserName>{Add_Your_Admin_User_Here}</UserName>
            <Password>admin</Password>
        </AdminUser>
        ....
    </Configuration>
</Realm>
Change "AddAdmin" to false if you do not want to create a new admin user. You can keep the password as it is or leave it blank since it doesn't get used in this mode.
If you want to create a new one, keep the AddAdmin value as true and configure your user store in ReadWrite mode.
2) You should be able to find them under the Inbound Authentication section of the Service Provider:
Service Providers --> [your service provider] --> Inbound Authentication Configuration --> OAuth/OpenID Connect Configuration

UserProfileMgtService is not able to find user in WSO2 IS 5.2.0

I recently updated my environment from WSO2 IS 5.0.0 to WSO2 IS 5.2.0. My environment consists of 2 machines that form a cluster (using the WKA membership scheme and a Load Balancer (AWS ELB) with sticky sessions enabled). I am using MySQL (not the default H2 database). The machines on which the IS is deployed are Windows Server 2012 R2 (EC2 AWS machines). I am also using the so-called WSO2 IS Admin services.
As mentioned in the heading I am consuming the UserProfileMgtService
(https://url:port/services/UserProfileMgtService?wsdl).
In combination with it I am using OAuth2TokenValidationService
(https://url:port/services/OAuth2TokenValidationService?wsdl).
If I pass a valid access token to the OAuth2TokenValidationService I am able to fill the OAuth2TokenValidationResponseDTO object with data by using the Validate method of the OAuth2TokenValidationService. As a result I am able to extract the authorizedUser and pass it to the getUserProfile method of the UserProfileMgtService. I am using the standard carbon.super domain and I am using the email as username. For example, I am passing the following two parameters to getUserProfile:
"admin#admin.com#carbon.super" as username
"default" as profileName
And as result I receive the following message:
UserNotFound: User admin#admin.com#carbon.super does not exist in: PRIMARY
If I remove the "#carbon.super" from the authorizedUser, everything is fine and I am able to get the user profile information. This is quite important for me since I am using multitenancy of the IS and there is a case that I might have the following users:
admin#admin.com#test.net
admin#admin.com#test2.net
I noticed that this service was not working this way in WSO2 IS 5.0.0. I started experiencing this issue after the upgrade.
Is this a desired behavior that was introduced because of the change in the API in IS 5.2.0? If so, is there another way to get the user profile using the "username"+"tenant-domain" (that is retrieved by the OAuth2TokenValidationService as the authorized user when passing a valid access token)?
Is it possible that this is caused by misconfiguration? If so, which is the file that needs to be updated and what exactly should be modified in it?
Is there a place where more information could be retrieved for the WSO2 IS 5.2.0 Admin Services?
Thanks in advance.
UserProfileMgtService in Identity Server is an Admin Service. In WSO2 Admin Services, the tenant domain is identified by the authenticated user and it should not be passed with the username.
The username should be a tenant-free username.
So, you can remove the carbon.super portion from the username and then it will work.
In a tenant setup, you need to authenticate with a tenant user (e.g. admin#admin.com#test.net) in order to access these APIs. So, as in the super tenant, you can use the tenant-free username and then it will work.
For example, if you want to get the user profile of user testuser#admin.com in tenant domain test.net, your request should be like the image below.
Thanks
Isura.
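As an added example (not code from the question or Isura's answer), a Python helper that turns the tenant-qualified authorizedUser returned by OAuth2TokenValidationService into the tenant-free username the admin service expects, plus the tenant whose authenticated session the call must use. It uses the '#' separator exactly as the values appear in this thread, and the rule for email-style usernames (a value with a single separator is a bare username in carbon.super) is an assumption modelled on the answer, not WSO2's own code.

```python
SUPER_TENANT = "carbon.super"


def tenant_aware_username(authorized_user, separator="#", email_user_names=True):
    """Split an authorized user such as 'admin#admin.com#test.net' into
    (tenant-free username, tenant domain).

    Rule implemented here (an assumption modelled on the answer above): the tenant
    domain is the segment after the last separator. When email-style usernames are
    enabled, a value with exactly one separator is a bare email username in the
    super tenant, not a tenant-qualified name, so it is returned unchanged."""
    if separator not in authorized_user:
        return authorized_user, SUPER_TENANT
    if email_user_names and authorized_user.count(separator) == 1:
        return authorized_user, SUPER_TENANT
    username, _, tenant = authorized_user.rpartition(separator)
    return username, tenant


def profile_lookup(authorized_user, profile_name="default", **kwargs):
    """Parameters for UserProfileMgtService.getUserProfile, together with the tenant
    whose user must have authenticated the admin-service session making the call.
    The username carries no tenant suffix: the admin service derives the tenant
    from the authenticated caller, which is why the suffixed form is 'not found'."""
    username, tenant = tenant_aware_username(authorized_user, **kwargs)
    return {"tenant_domain": tenant,
            "username": username,
            "profileName": profile_name}
```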

Why does WSO2 Identity Server retrieve tenant admin credential from a registry file not from a database?

I'm trying to create a self-signup client application which is using WSO2 API Manager and Identity Server.
When I tried to call a web service provided by Identity Server, I observed that some of the Java classes are trying to get a tenant admin credential from a registry file called self-signup.xml.
Due to this I am forced to change the tenant's admin credential manually in self-signup.xml whenever I change the admin's credential through carbon UI.
My questions are:
Is there any specific reason that WSO2 Identity Server gets a tenant admin credential from that registry file rather than retrieving it from a database?
Is there any way to automatically update the tenant admin's credential written in that registry file when the credential is updated in the database (e.g. changed through the carbon UI)?
Thanks in advance.
What is the web service you are using for self sign up here?
If you are using UserRegistrationAdminService you should not require any admin credential for self sign up.
You should not need to read admin credentials from a file in your client. Usually, if you want to call a web service which requires authentication from your client, you need a user logged in to your client and you need to use the cookie retrieved by that user.

wso2 identity server integration with external ldap

I am very new to wso2. I am trying to integrate wso2 identity server 5.0 with an external ldap. I configured it according to this: https://docs.wso2.com/display/IS500/Configuring+a+Read-only+LDAP+User+Store
At the end of the link, it says to try to sign in with the admin user, but how can I authenticate another user which is available in LDAP? Is it possible to log in to the identity server with another ldap user (other than admin)?
Thanks
According to the configuration as it is described, a new user 'admin' with the 'admin' role is added after startup. I assume you want to log on as another user. You should be able to authenticate other users as well for other service providers (applications), but not in the management console. For that the admin role is required.
What you can try is to use the 'dashboard' application ( https://your-is-server-hostname:9443/dashboard/ )
Have fun
g.
Since you are configuring a read-only LDAP as the primary user store, the user that should have admin permissions is required to be stored in the user store when you start the system for the first time. After that you have to give the login permission to all users in the LDAP user store. Login permission is defined under admin permissions, which allows users to log in to the management console.
Configure --> Users and Roles --> Roles --> Select "Permissions" of "Internal/everyone" or "Internal/your configured application" that you would like to give the permission to.
Select "Login".
Update.
For more details you can refer to [1].
[1] https://docs.wso2.com/display/IS500/Role-based+Permissions